How to read this php code? - php

How to decode this string in php?
$x = "h\164tp\163\072\057\057\x70r\157\x64\x75\x63t-\x73\x65a\x72\143\150\056\x61\160i\x2e\x63\x6a\x2ec\x6f\x6d\057v\062/\160\x72\157\x64\165\x63t\x2ds\x65\141\162\143\x68\x3f";
It looks like a regex URL, but how to read what it is?
Thanks.

just echo it out.
<?php
$x = "h\164tp\163\072\057\057\x70r\157\x64\x75\x63t-\x73\x65a\x72\143\150\056\x61\160i\x2e\x63\x6a\x2ec\x6f\x6d\057v\062/\160\x72\157\x64\165\x63t\x2ds\x65\141\162\143\x68\x3f";
echo $x;
It outputs:
https://product-search.api.cj.com/v2/product-search?

Print it!
% cat test.php
#!/usr/bin/env php
<?php
$x = "h\164tp\163\072\057\057\x70r\157\x64\x75\x63t-\x73\x65a\x72\143\150\056\x61\160i\x2e\x63\x6a\x2ec\x6f\x6d\057v\062/\160\x72\157\x64\165\x63t\x2ds\x65\141\162\143\x68\x3f";
print $x;
?>
% ./test.php
https://product-search.api.cj.com/v2/product-search?

It is actually a string with some characters specified in hexadecimal and octal notation. Just echo it.
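When the string comes from a file you do not trust, it can be decoded without running it through PHP at all. The following is an added example, not code from any of the answers: a small Python decoder for PHP double-quoted escape sequences. The name `decode_php_dq` is made up for this example, and it assumes the literal contains no `$variable` interpolation.

```python
import re

# Escapes PHP recognises inside double quotes: \n \r \t \v \e \f \\ \$ \",
# \NNN (octal, 1-3 digits), \xHH (hex, 1-2 digits), \u{H+} (code point, PHP 7+).
_SIMPLE = {"n": "\n", "r": "\r", "t": "\t", "v": "\v", "e": "\x1b",
           "f": "\f", "\\": "\\", "$": "$", '"': '"'}
_ESC = re.compile(
    r"\\(?:([0-7]{1,3})|x([0-9A-Fa-f]{1,2})|u\{([0-9A-Fa-f]+)\}|(.))", re.S)


def decode_php_dq(body: str) -> bytes:
    """Decode the body of a PHP double-quoted literal (quotes removed) to bytes."""
    out = bytearray()
    pos = 0
    for m in _ESC.finditer(body):
        out += body[pos:m.start()].encode("utf-8")
        octal, hexa, uni, other = m.groups()
        if octal is not None:
            out.append(int(octal, 8) & 0xFF)        # PHP wraps "\400" to "\000"
        elif hexa is not None:
            out.append(int(hexa, 16))
        elif uni is not None:
            out += chr(int(uni, 16)).encode("utf-8")
        elif other in _SIMPLE:
            out += _SIMPLE[other].encode("utf-8")
        else:
            out += ("\\" + other).encode("utf-8")   # unknown escape: backslash is kept
        pos = m.end()
    out += body[pos:].encode("utf-8")
    return bytes(out)


# The literal from the question, as a raw string so Python leaves the escapes alone.
QUESTION = (r"h\164tp\163\072\057\057\x70r\157\x64\x75\x63t-\x73\x65a\x72\143\150"
            r"\056\x61\160i\x2e\x63\x6a\x2ec\x6f\x6d\057v\062/\160\x72\157\x64\165"
            r"\x63t\x2ds\x65\141\162\143\x68\x3f")

if __name__ == "__main__":
    print(decode_php_dq(QUESTION).decode("utf-8"))
```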

Just print it, it's a URL
https://product-search.api.cj.com/v2/product-search?

Well, I created a PHP page as follows:
<?php
$x = "h\164tp\163\072\057\057\x70r\157\x64\x75\x63t-\x73\x65a\x72\143\150\056\x61\160i\x2e\x63\x6a\x2ec\x6f\x6d\057v\062/\160\x72\157\x64\165\x63t\x2ds\x65\141\162\143\x68\x3f";
print $x;
?>
and ran it.
And I got the following:
https://product-search.api.cj.com/v2/product-search?
Which means nothing to me, except that cj.com is part of Commission Junction, which is an online advertising network.
It's been deliberately obfuscated, so clearly the person who wrote it intended that you didn't notice it or understand it, and would leave it alone. I don't know the context of the question, why you're asking about it, but my guess would be that you've been hacked and someone has inserted this code (and more) into your site.
If that's the case, their aim would clearly be to gain some advertising revenue by freeloading on your site. Not particularly malicious as hacks go, but not something you'd want to be happening (especially if you don't know what kind of ads would be shown).

Simple:
utf8_decode();
http://www.php.net/manual/en/function.utf8-decode.php

Related

How to evaluate this string

I'm maintaining a PHP site that is very old and very funky.
Last night the site got hacked. I found this one file that I'm not sure if it's from the hackers or from the aforementioned funkiness. Does anyone know how I can decode this:
<?php
eval("\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'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'\x29\x29\x29\x3B");
?>
thanks,
Jack
Replace eval with echo. Repeat.
http://pastebin.com/3X2FcvW3

How do I truncate this result?

this displays the name of a group, but sometimes the names of the groups are really long and break the layout. How can I limit the result to maybe 20 characters? Thank you!
<?php echo $group->getName();?>
There is a php function for it. It's substr(). Your example code would look like:
<?php $length = 20; ?>
<?php echo substr($group->getName(), 0, $length);?>
If you want, you can add some extra features like checking the length and, if it's longer than $length, then cutting it and adding "..." for users to know the text was cut.
I found this to work. Sorry this question seems to have annoyed some of you, but I want others to know how I fixed it.
<?php echo substr($group->getName(),0,25);?>

PHP echo-ing a PHP code inside an echo

I'm quite new here. I'm trying to make a blog/journal site that allows users to post their own journal. I'm still quite reluctant on making it because I am really afraid of malicious code injections.
So here's a sample code:
<?php
$test = "<b>blah</b>"; //User input from SQL
echo "$test";
?>
What will come out is just the word "blah" in bold right? What I was trying to achieve was to echo "<b>blah</b>" instead. I don't want people to put some PHP codes that can actually mess up my whole web page. Please keep in mind that the variable $test is actually a MYSQL query, so that variable will be needed as an example. I know you can do echo '$test'; but it just comes out as "$test" instead. I feel like pulling my hair out I can't figure it out yet.
The second solution I know of is the htmlspecialchars(); function, but I want the strings to display as what I typed, not the converted ones...
Is there any way I can do that?
I think the OP wants the HTML itself to be output to the page, and not have the tags stripped. To achieve this, you can run the string first through htmlentities()
$test = '<b>blah</b>';
echo htmlentities($test);
This will output:
&lt;b&gt;blah&lt;/b&gt;
Which will render in the page as
<b>blah</b>
Echo doesn't execute PHP code from a string. This is impossible, and this is not a security hole in your code.
You can use a template engine like Twig, for example.
If htmlspecialchars(); is not the one you are looking for, try the header() option.
header('Content-type: text/plain');
When you are gonna give <b>Hi</b> to a browser, it will be displayed in Bold and not the text be returned. But you can try this way, outputting it inside a <textarea></textarea>.
Or the other way is to use htmlentities():
<?php
$test = "<b>blah</b>"; //User input from SQL
echo htmlentities("$test");
?>

PHP string question

This is probably a very simple one to be answered...
I have a piece of code which I need to pull a certain piece of information.
<?php echo $this->getLayout()->createBlock('cms/block')->setBlockId('XXXX')->toHTML();?>
For this to work I need the XXXX part to pull the result of the following query:
<?php echo $_product->getAttributeText('warranty') ?>
So the output from the above query will then be the information needed to go in to XXXX.
This markup is completely wrong below but should demonstrate the idea I am trying to achieve:
<?php echo $this->getLayout()->createBlock('cms/block')->setBlockId('<?php echo $_product->getAttributeText('warranty') ?>')->toHTML();?>
You just have a redundant PHP opening <?php inside the code. You are already in PHP context so you can do that call directly.
<?php echo
$this->getLayout()->createBlock('cms/block')->setBlockId($_product->getAttributeText('warranty'))->toHTML();?>
However, this is quite complicated and difficult to debug. I would split it in several lines and use variables... remember that you can do it in that context, you are not bound to do everything in one line only :)
Maybe as simple as:
<?php echo $this->getLayout()->createBlock('cms/block')->setBlockId($_product->getAttributeText('warranty'))->toHTML();?>
If not then I would very much like to know what kind of var (array, int, string, double etc) the setBlockId function needs and what $_product->getAttributeText returns.
<?php echo $this->getLayout()->createBlock('cms/block')->setBlockId($_product->getAttributeText('warranty'))->toHTML();?>
<?php
echo $this->getLayout()
->createBlock('cms/block')
->setBlockId($_product->getAttributeText('warranty'))
->toHTML();
?>

how to eval() a segment of a string

I have a string that has HTML & PHP in it, when I pull the string from the database, it is echo'd to screen, but the PHP code doesn't display. The string looks like this:
$string = "Hello <?php echo 'World';?>";
echo $string;
Output
Hello
Source Code
Hello <?php echo 'World';?>
When I look in the source code, I can see the php line there. So what I need to do is eval() just the php segment that is in the string.
One thing to consider is that the PHP could be located anywhere in the string at any given time.
* Just to clarify, my PHP config is correct, this is a case of some PHP being dumped from the database and not rendering, because I am echo'ing a variable with the PHP code in it, it fails to run. *
Thanks again for any help I may receive.
$str = "Hello
<?php echo 'World';?>";
$matches = array();
preg_match('/<\?php (.+) \?>/x', $str, $matches);
eval($matches[1]);
This will work, but like others have and will suggest, this is a terrible idea. Your application architecture should never revolve around storing code in the database.
Most simply, if you have pages that always need to display strings, store those strings in the database, not code to produce them. Real world data is more complicated than this, but must always be properly modelled in the database.
Edit: Would need adapting with preg_replace_callback to remove the source/interpolate correctly.
You shouldn't eval the PHP code, just run it. A PHP interpreter needs to be installed, and Apache + PHP properly configured. Then this .php file should output Hello World.
Answer to the edit:
Use preg_replace_callback to get the php part, eval it, replace the input to the output, then echo it.
But if you have to eval things that come from the database, I'm almost sure it's a design error.
eval() should work fine, as long as the code is proper PHP and ends with a semicolon. How about you strip off the php tag first, then eval it.
The following example was tested and works:
<?php
$db_result = "<?php echo 'World';?>";
$stripped_code = str_replace('?>', '', str_replace('<?php', '', $db_result));
eval($stripped_code);
?>
Just make sure that whatever you retrieve from the db has been properly sanitized first, since you're essentially allowing anyone who can get content into the db, to execute code.
